Public Naming of Koobface Gang Is a Minor Victory in a Huge Battle

Researchers have named five Russian cybercriminals believed to be
responsible for operating the Koobface worm, which has wreaked
havoc on Facebook since 2008, spreading fake anti-virus ads and
hijacking Web searches. The public shaming, however, isn't likely
to make a dent in the overwhelming number of scams Facebook users
deal with every day, at least until the law catches up with the
suspected crooks.

The identities of the five men — Anton Korotchenko, Alexander
Koltyshev, Roman Koturbach, Svyatoslav Polichuk and Stanislav
Avdeyko — were uncovered by Facebook's security team along with
independent researchers Jan Drömer and Dancho Danchev and Dirk
Kollberg of the security firm Sophos. (The New York Times was the
first to publish the full names of all the members of the
"Koobface gang.")

From Oct. 2009 to Feb. 2010, Drömer and Kollberg tracked the
worm's operators, who used Koobface (an anagram of Facebook)
primarily to spread advertisements for fake anti-virus software.
The group netted at least $2 million since its inception in 2008.
(Danchev has run a parallel investigation.)

Facebook issued its own statement on the identification of
the Koobface gang Tuesday afternoon. It said, "While we have
been able to keep Koobface off Facebook, we won't declare
victory against the virus until its authors are brought to
justice." Koobface, Facebook said, has not been spotted on
Facebook for more than nine months.

Authorities have not filed any charges against the suspected
criminals.

The information that led Facebook to unmask the Koobface gang's
members was shared with authorities years ago, and while the
suspected criminals' names may now be public, as are tales of
their lavish vacations to Bali, Turkey and Monte Carlo, there's a
gap separating the naming of the gang from any real punishment.

"We know that cybercrime investigations can take a long time, but
the ball is really in the Russian police's court to take action
now," Graham Cluley, senior technology consultant with the
security firm Sophos, told SecurityNewsDaily.

Cybercriminal investigations, Cluley said, often take years. In
cases like this one and Operation 'Trident Tribunal', a two-year
hunt for scareware crooks that drew on the coordinated efforts of
the FBI and law enforcement from 11 countries, authorities have to
navigate a terrain riddled with legal loopholes.

Russia is the 'dark side of the moon'

"The crooks, the victims and the evidence are typically
distributed through many legal jurisdictions," Cluley said. "This
makes coordinating investigations, charges and prosecutions much
more complex than handling crimes which happened in one city or
country."

The five men responsible for running the botnet that infected
between 400,000 and 800,000 computers since 2008 may be
especially difficult to bring to justice given their home turf.

"Sadly, Saint Petersburg might as well be on the dark side of the
moon," said Cluley. "It's very hard for the authorities in the
U.S.A. and U.K. to influence the Russian authorities."

The cart before the horse

Unmasking the Koobface gang may have been a hasty decision, and
one that could force the group to adapt, and even thrive, by
shifting its tactics.

"This kind of disclosure generally doesn't help law enforcement,"
Roel Schouwenberg, senior researcher for the security company
Kaspersky Lab, told SecurityNewsDaily. "The Koobface authors are
now informed and can go into hiding and/or change-up their game,
which will be no problem given their financial situation. I'm
strongly convinced that this type of attribution research should
only be disclosed after charges have been pressed, not before."

To Facebook's credit, Schouwenberg said the social network "has
been good responding to new threats and coming up with
measures to combat them."

There's no way to predict if shining a light on the Koobface
criminals will change day-to-day operations on Facebook, a site
that, given its overwhelming popularity, is a petri dish of
threats and scams aimed at disarming unsuspecting users.

Cluley agreed, adding, "Anything which takes cybercriminals
offline has to be good for the entire Internet community, not
just Facebook users. However, if the Koobface gang was
permanently put out of business it would be a brave man who
betted that there wouldn't be other criminals waiting to take
their place."

Both experts said only time will tell if the public exposure of
the notorious criminal gang members will deter future scammers
from following in their ranks.